🔒 [security fix] Mask sensitive tokens in GitHub Actions logs

- Added `core.setSecret(token)` to mask the primary GitHub token.
- Added `core.setSecret(githubMcpToken)` to mask the GitHub MCP token.
- Updated `__fixtures__/core.ts` to include the `setSecret` mock.
- Updated `__tests__/main.test.ts` to verify `setSecret` is called for the tokens.
google-labs-jules[bot]
2026-03-10 22:44:58 +00:00
parent b7792492cd
commit 9d962e5274
3 changed files with 6 additions and 0 deletions


@@ -9,3 +9,4 @@ export const getBooleanInput = vi.fn<typeof core.getBooleanInput>()
export const setOutput = vi.fn<typeof core.setOutput>()
export const setFailed = vi.fn<typeof core.setFailed>()
export const warning = vi.fn<typeof core.warning>()
export const setSecret = vi.fn<typeof core.setSecret>()


@@ -136,6 +136,7 @@ describe('main.ts', () => {
await run()
expect(core.setOutput).toHaveBeenCalled()
expect(core.setSecret).toHaveBeenCalledWith('fake-token')
verifyStandardResponse()
expect(mockProcessExit).toHaveBeenCalledWith(0)
})
@@ -199,6 +200,7 @@ describe('main.ts', () => {
await run()
expect(core.setSecret).toHaveBeenCalledWith('fake-token')
expect(mockConnectToGitHubMCP).toHaveBeenCalledWith('fake-token', '')
expect(mockMcpInference).toHaveBeenCalledWith(
expect.objectContaining({
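Review bot: The added `expect(core.setSecret).toHaveBeenCalledWith('fake-token')` cannot show that the MCP token is masked as a separate value, because in this case the `github-mcp-token` input evidently resolves to empty (the next line expects `connectToGitHubMCP` with `''`), so the fallback makes both calls pass the same 'fake-token', and `toHaveBeenCalledWith` is satisfied by a single matching call. Adding `expect(core.setSecret).toHaveBeenCalledTimes(2)` directly after it would at least pin that both masking calls happen. A further case where the `github-mcp-token` input is stubbed to a distinct value (a constructed sample such as 'fake-mcp-token') and checked with `expect(core.setSecret).toHaveBeenCalledWith('fake-mcp-token')` would cover the dedicated-token path the commit message describes; how inputs are stubbed is not visible in this hunk, so the exact setup has to follow the file's existing pattern. The same single-value assertion appears in this file's first hunk (`@@ -136,6 +136,7 @@`), and the enclosing `it(...)` callbacks of both hunks begin outside the hunks.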


@@ -61,9 +61,12 @@ export async function run(): Promise<void> {
if (token === undefined) {
throw new Error('GITHUB_TOKEN is not set')
}
core.setSecret(token)
// Get GitHub MCP token (use dedicated token if provided, otherwise fall back to main token)
const githubMcpToken = core.getInput('github-mcp-token') || token
core.setSecret(githubMcpToken)
const githubMcpToolsets = core.getInput('github-mcp-toolsets')
const endpoint = core.getInput('endpoint')